
CVE-2026-26144: Excel XSS turns Copilot Agent into zero-click exfiltration tool

By Adam Bream, Tech Content Writer

Microsoft patched a critical Excel XSS flaw on March 10, 2026. CVE-2026-26144 turns the Copilot Agent into a silent information theft channel that requires no user interaction. An attacker-crafted spreadsheet viewed in the Preview Pane instructs the AI assistant to send document contents to an external server.

The fix landed in an 84-CVE Patch Tuesday release with eight critical-severity patches. Microsoft rated CVE-2026-26144 Critical despite a CVSS 7.5 base score. Information disclosure vulnerabilities rarely receive that severity level, but the theft risk jumps when an autonomous AI agent enters the chain.

Excel fails to sanitize attacker-controlled input during web page generation. The condition falls under CWE-79, a standard XSS classification. On its own, cross-site scripting in a desktop spreadsheet app would raise moderate concern. What changes the equation is Copilot Agent, the GenAI assistant in newer Office versions that can read documents and initiate network requests on its own.

Input that Excel fails to neutralize reaches the AI assistant as instructions. Copilot Agent then sends cell contents, formulas, or contextual information to an attacker-controlled server.

The entire chain fires from the Preview Pane without the victim opening the file.

This is a fascinating bug and an attack scenario we're likely to see more often.

— Dustin Childs, head of threat awareness, Trend Micro Zero Day Initiative

CVE-2026-26144 is the third Copilot vulnerability with zero-click or low-interaction exploitability found in under a year. In June 2025, Aim Security disclosed EchoLeak (CVE-2025-32711), the first documented zero-click attack against an AI agent. That exploit used indirect prompt injection to steal content from Microsoft 365 Copilot via crafted image URLs. Microsoft needed five months to patch it.

Varonis disclosed Reprompt (CVE-2026-24307) in January 2026 as a single-click Copilot Personal hijack. Permiso Security's Andi Ahmeti reported CVE-2026-26133 in the same March cycle. That cross-prompt injection attack turned Copilot's email summarization in Outlook and Teams into a phishing content generator.

Barrack AI's Q1 2026 analysis grouped all four Copilot issues as an emerging attack class. Traditional weaknesses (XSS, parameter injection, cross-prompt injection) get amplified when autonomous AI agents act on unsanitized input.

Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records. If exploited, attackers could silently extract confidential information from internal systems without triggering obvious alerts.

— Alex Vovk, CEO and co-founder, Action1

Microsoft reported no active exploitation of CVE-2026-26144 at the time of disclosure, and the flaw was not publicly known before the March 10 patch. For teams that cannot update immediately, Action1's Vovk recommends three interim measures: restrict outbound traffic from Office applications, monitor for unusual network requests from Excel.exe, and disable Copilot Agent.

Exploitation of CVE-2026-26144 should leave network indicators. Outbound POST requests from Office processes carrying structured payloads (CSV, JSON, HTML fragments) shortly after a new workbook arrives deserve scrutiny, as do new or rare User-Agent strings from Office processes reaching destinations outside corporate allowlists.
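The following hunt combines those three indicators (Office process, off-allowlist destination, structured POST or odd User-Agent, recent workbook arrival) into one rule over endpoint network telemetry. It is an added example written for this article, not code from Microsoft, Action1 or any product; the JSON log schema, the sample records, the allowlist and the User-Agent baseline are all constructed assumptions, and a real deployment would take them from the proxy and EDR feeds.

```python
"""Hunt for CVE-2026-26144-style exfiltration in endpoint network telemetry.

Added example. Assumed schema (constructed for this example): one JSON record
per line with ts, host, event; http_request events carry process, method, dest,
content_type, user_agent; file_create events carry path.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
STRUCTURED_TYPES = ("text/csv", "application/json", "text/html", "multipart/form-data")
# Assumed egress allowlist; in practice this comes from the proxy policy.
ALLOWED_HOSTS = {"officecdn.microsoft.com", "graph.microsoft.com", "login.microsoftonline.com"}
# Assumed baseline of User-Agent strings Office processes normally send.
BASELINE_USER_AGENTS = {"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0; Pro)"}
WORKBOOK_EXTENSIONS = (".xlsx", ".xlsm", ".xls", ".xlsb")
ARRIVAL_WINDOW = timedelta(minutes=15)  # how soon after a workbook lands we care


@dataclass
class Finding:
    host: str
    ts: datetime
    process: str
    dest: str
    reasons: list[str] = field(default_factory=list)


def parse_line(line: str) -> dict:
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def hunt(lines: list[str]) -> list[Finding]:
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])

    # Index workbook arrivals per host so each request can be checked for a recent one.
    arrivals: dict[str, list[datetime]] = {}
    for e in events:
        if e["event"] == "file_create" and e["path"].lower().endswith(WORKBOOK_EXTENSIONS):
            arrivals.setdefault(e["host"], []).append(e["ts"])

    findings: list[Finding] = []
    for e in events:
        if e["event"] != "http_request" or e["process"].lower() not in OFFICE_PROCESSES:
            continue
        # Gate: Office traffic to an allowlisted destination is expected and skipped.
        if e["dest"].lower() in ALLOWED_HOSTS:
            continue
        reasons: list[str] = []
        ctype = e.get("content_type", "").lower()
        if e["method"].upper() == "POST" and ctype.startswith(STRUCTURED_TYPES):
            reasons.append(f"POST with structured body ({ctype})")
        if e.get("user_agent") not in BASELINE_USER_AGENTS:
            reasons.append(f"unusual User-Agent {e.get('user_agent')!r}")
        recent = [t for t in arrivals.get(e["host"], []) if timedelta(0) <= e["ts"] - t <= ARRIVAL_WINDOW]
        if recent:
            mins = int((e["ts"] - max(recent)).total_seconds() // 60)
            reasons.append(f"workbook arrived {mins} min earlier")
        # Off-allowlist alone is noisy; require at least one corroborating signal.
        if reasons:
            findings.append(Finding(e["host"], e["ts"], e["process"], e["dest"], reasons))
    return findings


# Constructed sample telemetry: one exfiltration-shaped request among benign noise.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"ts": "2026-03-11T10:00:00", "host": "WS-042", "event": "file_create",
     "path": r"C:\Users\alice\Downloads\Q1-forecast.xlsx"},
    {"ts": "2026-03-11T10:00:40", "host": "WS-042", "event": "http_request", "process": "EXCEL.EXE",
     "method": "GET", "dest": "officecdn.microsoft.com", "content_type": "",
     "user_agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0; Pro)"},
    {"ts": "2026-03-11T10:04:30", "host": "WS-042", "event": "http_request", "process": "EXCEL.EXE",
     "method": "POST", "dest": "collect.example.net", "content_type": "application/json",
     "user_agent": "python-requests/2.31"},
    {"ts": "2026-03-11T10:05:00", "host": "WS-042", "event": "http_request", "process": "EXCEL.EXE",
     "method": "POST", "dest": "graph.microsoft.com", "content_type": "application/json",
     "user_agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0; Pro)"},
    {"ts": "2026-03-11T10:06:00", "host": "WS-042", "event": "http_request", "process": "chrome.exe",
     "method": "POST", "dest": "collect.example.net", "content_type": "application/json",
     "user_agent": "Mozilla/5.0"},
    {"ts": "2026-03-11T10:30:00", "host": "WS-007", "event": "http_request", "process": "excel.exe",
     "method": "GET", "dest": "partner.example.com", "content_type": "",
     "user_agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0; Pro)"},
]]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.process} -> {f.dest}: " + "; ".join(f.reasons))
```

Only the POST from EXCEL.EXE to collect.example.net is reported, with all three corroborating signals; the browser's POST to the same host is out of scope for this rule, the Graph call is allowlisted, and the lone off-allowlist GET on WS-007 is dropped because nothing else supports it. Tune the allowlist and User-Agent baseline from a few weeks of real Office traffic before enabling this, and feed hits into the usual triage queue rather than auto-blocking.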

February's Patch Tuesday forced emergency attention for six actively exploited zero-days. March proved calmer. The release covered 84 CVEs, none under active exploitation. Two were publicly known before the patch: CVE-2026-26127 (.NET denial of service) and CVE-2026-21262 (SQL Server privilege escalation, CVSS 8.8).

Two other high-severity Office defects share the same Preview Pane vector. CVE-2026-26110 (type confusion, CVSS 8.4) and CVE-2026-26113 (untrusted pointer dereference, CVSS 8.4) both allow remote code execution through Outlook's reading pane.

When a simple document preview can trigger code execution, attackers gain a doorway directly into the system.

— Jack Bicer, director of vulnerability research, Action1

Preview Pane RCE problems have surfaced repeatedly over the past year, according to ZDI's Childs, who warned it is just a matter of time before they show up in active exploits. The agentic side of the problem is not confined to Microsoft either. On March 3, 2026, Zenity Labs researchers Stav Cohen and Michael Bargury disclosed PleaseFix, a separate issue in Perplexity's Comet agentic browser that allowed file exfiltration triggered by a Google Calendar invite carrying hidden prompts.

CVE-2026-21536 scored the highest CVSS in the March release at 9.8. XBOW, an autonomous AI penetration testing agent ranked #1 on HackerOne's U.S. leaderboard, found the bug in Microsoft's Devices Pricing Program. Microsoft fixed it server-side with no customer action required.

Organizations running Excel with Copilot Agent should apply the March 2026 update as top priority. The zero-click exploitation path and AI-driven exfiltration make CVE-2026-26144 operationally more severe than its 7.5 score suggests. Security teams should audit Copilot Agent deployment policies and watch for anomalous outbound traffic from Office processes. Disabling the reading pane in Outlook mitigates the related Preview Pane RCE weaknesses until patches roll out.


Questions on the topic

What is CVE-2026-26144 and how does it exploit Microsoft Copilot?
CVE-2026-26144 is a cross-site scripting flaw in Excel that lets attackers instruct Copilot Agent to exfiltrate document contents without user interaction. Microsoft patched it on March 10, 2026.